[JDEV] [SECURITY] Remote roster manipulation bug in various Jabber clients
Jamin W. Collins
jcollins at asgardsrealm.net
Wed Jul 2 17:47:20 CDT 2003
On Wed, Jul 02, 2003 at 05:19:19PM -0400, Julian Missig wrote:
> On Wednesday, Jul 2, 2003, at 16:53 US/Eastern, Jamin W. Collins wrote:
> >On Wed, Jul 02, 2003 at 10:05:11PM +0200, Jacek Konieczny wrote:
> >
> >>3. Impact
> >>
> >>The attack cannot be done from a Jabber client connection to a jabberd
> >>1.4.x server because of a similar bug (or feature) in this server - it
> >>doesn't check the "to" attribute and treats all such <iq/>s as directed
> >>to the server. The attacker's roster stored on the server is modified
> >>instead of the victim's.
> >
> >Wouldn't this still be a concern? The roster on the server would be
> >modified and only corrected if the client exited properly, thus
> >resyncing its list to the server, right?
>
> Why would it be a concern? It's the *attacker's* roster which would be
> modified in that case, not the victim's. As an aside, clients typically
> do not "resync" their lists to the server when they exit.
You know I read that 3 times and continually inverted the victim and
attacker. Sorry about that, it's been one of those days.
--
Jamin W. Collins
To be nobody but yourself when the whole world is trying its best night
and day to make you everybody else is to fight the hardest battle any
human being will fight. -- E.E. Cummings